procmail

Re: virus recipe for MyDoom

2004-01-30 19:01:42
At 12:09 2004-01-30 -0700, LuKreme wrote:
> On 27 Jan 2004, at 08:37, Dallman Ross wrote:
>> Why don't users have standard commercial anti-virus programs in place on their workstations?
>
> Most of them do. But of course, by the time a virus is identified and the anti-virus software is updated and people update their anti-virus... well, but then it is too late for many many people.

Too late for the people moronic or uninformed enough to:

        * use mail agents known to have frequent security problems
                (the aptly named MS OutBreak comes to mind)

        * use web browsers which have a new, critically serious vulnerability
                discovered every couple of weeks or so (MS claims they can't
                release fixes for the current version browsers until they've
                regression tested the same fixes for older browsers, but I
                don't rightly recall them releasing updates for MSIE4 and MSIE5
                anyway, since their "fix" is invariably to require you to
                install their latest and greatest).  MS still doesn't have a
                fix for the forged URL problem, and there's already a forged
                file extension vulnerability.  Combine the two, and anyone
                running MSIE is in serious trouble.

        * open and run attachments just for the hell of it.

As a rule, if I didn't _REQUEST_ an attachment, or it's not obviously part of an exchange I'm having with someone (and well, I don't use email for file exchanges anyway), I don't open it. No how, no way. For ZIP files, which I've always regarded as the safe way to pass executable files between parties (which is why I've got no qualms with ditching ALL executable files in a global filter on my mailserver), I don't run any ZIP software that auto-executes files, and I'd still need to be EXPECTING something from someone.

PGP signing remains the best option for sending messages with program attachments. If the message doesn't carry a valid signature, then it's trash.

Curiously, despite having been active in BBS systems, downloading shareware software by the bucketload for years, as well as being on this internet thang for over a decade, I've _NEVER_ had a virus infection on any of my systems, and I run quite a few. NEVER, as in NONE, not even once. I've got an isolated system I use for testing things and it's been infected a few times, but that's one of its roles - to act as a digital petri dish: its various OS loads are burned on CD and restored after tests have been run, so it's frequently refreshed. It permits me to examine (when I want or need to) the filesystem interaction of a virus, or the network signature produced by one. This can be quite handy when you're pulling someone else's ass out of a fire, because in a controlled environment, it's much easier to get a snapshot of before and after, which in turn makes it easier to roll on over to another system and fix things, even before the specifics of a virus have become known. Or, when the characteristics of a virus make it difficult to install A/V software on the already-infected machine (we're talking Windowze here of course).

FTR, I don't run an A/V program (not an automated one - I do have A/V stuff on the network to scan filesets, but it isn't something that is "installed" or running all the time). I used to ages ago, but found they caused too many problems (at the time, largely performance related, but nowadays, it's a combination of performance, compatibility, and false security), and, as noted, you've got to constantly be on top of the definition updates, and even if you are religious about them, they only get updated *AFTER* A/V firms have had an opportunity to review viruses from the wild and develop definitions and disinfection routines for them. How many people get hit by a new virus before the A/V firms have had an opportunity to react?

Once you accept that an A/V program provides a false security, and accept that you have to take responsibility for what you run, you're much better off.

Bottom line: a proactive and relatively generic approach will serve you much better than trusting in any A/V program can. The problem is the careless mentality of so many users. These would be the same morons who cleartext virtually everyone in their addressbook (many of whom don't know one another) to send a personal message, which results in every one of those people's addresses appearing in other people's inboxes, to be harvested by viruses.

These same idiots are the type of people who think "I installed an A/V program on my computer three years ago [and haven't done ANYTHING to update it since], so I must be safe."

Possibly many felt quite secure running their Norton and opening the MyDoom file the first couple of days.



> Personally, I am ambivalent to some small degree about MyDoom. On the one hand it's a trojan and it screws up my bandwidth and is BAD. On the other hand, it infects MS malware to attack SCO, and that's kinda GOOD.

No, it's bad all around. SCO doesn't have a legal leg to stand on, and when/if they ever manage to get to court with their BS, it'll go down in flames on the (dis-)merit of their case. No need to royally screw the entire internet.

The DoS is pretty stupid too - so, SCO knows their network is going to be abused, and when. Guess what? Reach into those deep pockets (or those of Uncle Gates, who owns a 25% share, just in case anyone wonders about the origins of this push for action against Linux), and set up proxy web servers, plus an alternate IP network. Proxy servers issue a redirect (an action which takes very little processing overhead, and can certainly be distributed among many hosts) for all the web requests, possibly after first probing the connecting system for legitimacy. If the connecting system is suspect, then they dynamically add it to a firewall (whose rules get expired say after 12 hours). Sure, there's still a network headache, but it hardly brings the organization to its knees.

And besides, who all bothers to visit the SCO website anyway? I suspect that saturating the SCO network in a DoS would only serve to reduce their performance of playing Quake or somesuch between campuses.


Remember: malware has no legitimate purpose. It causes problems for all sorts of people, even the ones who aren't running the target software (surely CodeRed and Nimda ring bells for people operating webservers - unix webservers weren't subject to the bug they were exploiting, but that didn't mean the viruses weren't trying their best to hammer them). FTR, my response to CodeRed (and II) as well as Nimda was to produce a script which the server redirects all .DLL and similar requests to, and that script sorts out what type of virus is making the request, then performs whois and netblock lookups and sends an infection report to the provider responsible for the infected host. The source IP gets added to a cache and subsequently ignored (reducing server load, but also avoiding repeat notifications) for 24 hours, at which time it expires from the cache, and can once again visit the site (possibly legitimately, or to invoke the warning mechanism again).

This isn't rocket science.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
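The two mechanisms sketched in the post above, classifying a worm's web request by its signature and then suppressing repeat handling of the same source for a fixed window (the 24-hour notification cache, or the 12-hour expiring firewall entries proposed for SCO), fit in a few dozen lines. The following is an added illustration, not the script the author describes and not part of the procmail project; it assumes the well-known Code Red (`/default.ida`) and Nimda (`cmd.exe`/`root.exe`) probe paths as signatures, common log format input, and a constructed set of log lines. The whois lookup and the report delivery are left to the caller, which receives one (ip, family, timestamp) tuple per source per window.

```python
import re
from datetime import datetime

# Worm probe signatures: request paths Code Red (default.ida) and Nimda
# (cmd.exe / root.exe) sent to every web server they reached. A hit identifies
# an infected *client*; a unix server is not at risk, it is just being hammered.
# The ".dll" entry is a catch-all for the "similar requests" the post mentions.
SIGNATURES = (
    ("CodeRed", re.compile(r"^/default\.ida(?:\?|$)", re.IGNORECASE)),
    ("Nimda", re.compile(r"/(?:cmd|root)\.exe(?:\?|$)", re.IGNORECASE)),
    ("IIS-probe", re.compile(r"\.dll(?:\?|$)", re.IGNORECASE)),
)

# Common log format: source IP, timestamp, method, path, status (other fields ignored).
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})')


def classify(path):
    """Return the worm family whose signature the request path matches, or None."""
    for family, pattern in SIGNATURES:
        if pattern.search(path):
            return family
    return None


class ExpiringSet:
    """Keys stay present for `ttl` seconds after insertion, then lapse.

    Backs the 24h notification cache here; the same class with a 12h TTL would
    back the dynamic firewall list the post proposes. Time is passed in
    explicitly so the behaviour is reproducible offline.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self._expiry = {}

    def add(self, key, now):
        self._expiry[key] = now + self.ttl

    def contains(self, key, now):
        exp = self._expiry.get(key)
        if exp is None:
            return False
        if exp <= now:          # lapsed: drop it so the dict does not grow forever
            del self._expiry[key]
            return False
        return True


def parse_clf(line):
    """Return (ip, epoch_seconds, path) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, when, path


def scan_log(lines, ttl=24 * 3600):
    """Return one (ip, family, when) report per infected source per TTL window.

    Requests from a source already reported within `ttl` seconds are ignored,
    which is what cuts both the server load and the duplicate notifications.
    """
    notified = ExpiringSet(ttl)
    reports = []
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ip, when, path = parsed
        family = classify(path)
        if family is None or notified.contains(ip, when):
            continue
        notified.add(ip, when)
        reports.append((ip, family, when))
    return reports


# Constructed sample log (documentation-range addresses): one Code Red source
# probing twice within minutes and again 24h+1s later, one Nimda source, and
# one ordinary visitor.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jan/2004:19:01:42 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284',
    '192.0.2.10 - - [30/Jan/2004:19:05:00 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284',
    '192.0.2.77 - - [30/Jan/2004:19:06:10 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284',
    '192.0.2.77 - - [30/Jan/2004:19:06:11 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 284',
    '198.51.100.3 - - [30/Jan/2004:19:07:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [31/Jan/2004:19:01:43 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 284',
]

if __name__ == "__main__":
    for ip, family, when in scan_log(SAMPLE_LOG):
        print(f"infection report: {family} probe from {ip} at {when:.0f}")
```

Running it on the sample yields three reports: the first Code Red hit, the Nimda source, and the Code Red source again once its 24-hour entry has lapsed; the repeat probes inside the window and the legitimate request produce nothing.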
